Barrotes
Virus.DOS.Barrotes ("Bars" in Spanish) is a dangerous memory-resident parasitic virus for DOS. The family's main characteristics are displaying vertical bars and/or destroying the MBR. There are 17 variants, plus 1 sub-variant, with different infection behaviors, activation days or payloads.

Behavior

When the virus is loaded into memory, it first infects C:\COMMAND.COM, then hooks INT 21h to infect files as they are executed. The variants generally skip files with the following names, to avoid infecting antivirus programs:
*MSAV
*MWAV

Barrotes.840 and 849

These variants infect DOS executable files only.

Barrotes.1127

Before going memory resident, this variant infects F:\LOGIN.EXE, if available, instead of COMMAND.COM. It infects every executable that is run and does not check whether a file is already infected, so it reinfects files and their size grows with each further infection. The virus cannot infect files larger than 64,409 bytes.

Barrotes.1194, 1222, 1292, 1310, 1447, 1463, 1874 and Tecla.1303

These variants infect any executable file that is run. Some of them might corrupt files during infection, resulting in a system hang.

Barrotes.1292 displays the following text when the first infected file is run:

Iniciando Filo-Windows 95 Virus by...

Translation (from Spanish):

Starting file-Windows 95 Virus by...

Barrotes.1310.b, j and k do not infect COMMAND.COM before going memory resident, because their internal text string, listed in a later section, is not a valid file path. Additionally, variants B and J have an anti-debugging feature that hangs the system if the user attempts to open an infected file while either of these variants is in memory.

Barrotes.1310.d and e use i386 instructions to install themselves into memory.

Barrotes.Tecla.1303 is the encrypted variant. It infects COMMAND.COM in the same directory instead of the one in the root directory, which means C:\COMMAND.COM might not be infected if the virus is located in another directory.

Barrotes.1461

Instead of C:\COMMAND.COM, this variant infects C:\DOS\KEYB.COM when it loads into memory. This variant also reinfects files.

Advanced details

The following table shows the memory usage of the variants.

MD5 hashes:

Payload

When activated, the virus decrypts the payload code, hooks INT 1Ch, and displays several vertical bars and a message in the upper-left corner:

Virus BARROTES por OSoft

Translation (from Spanish):

BARROTES Virus by OSoft

Some variants may also destroy the MBR.

Barrotes.840 and 849

These variants activate on January 5th. They display the message, draw grey vertical bars and destroy the MBR.

Barrotes.1127 and 1292

These variants do not manifest themselves in any way, since their binaries do not contain the payload code.

Barrotes.1194

This variant is supposed to activate on the 1st day of any month, displaying the message and vertical bars and destroying the MBR, but it fails to do so.

Barrotes.1222

This variant activates on May 25th. Its visible payload code has been replaced with null characters, so it does not draw anything on screen, but it still hooks INT 1Ch, which might slow the system down slightly, and destroys the MBR.

Barrotes.1310.a, b and j

These variants activate on January 5th. They draw colorful vertical bars and destroy the MBR (except the J variant). Barrotes.1310.b crashes the system if keyboard input is detected after activation.

Barrotes.1310.d and e

These variants activate on July 20th. They draw colorful vertical bars and display the following message instead of the original one:

Virus MIKELON por MSoft

Barrotes.1310.i

This variant activates on May 23rd. It draws colorful vertical bars and displays the following message instead of the original one:

Araceli Escobar=ENANA+PUTA

Barrotes.1310.k

This variant activates on May 19th. It draws colorful vertical bars, destroys the MBR and displays the following message instead of the original one:

Virus SuperDepor vK&S

Barrotes.1447 and 1463

These variants destroy the MBR on activation. They also display a message at the top of the screen and scroll all the text below it to the left.

ViRUS de G.D.R. ©PutoSO''f''T, NO HAY NADA COMO G.D.R. ¿¿ VERDAD ?? ;-)

Translation (from Spanish):

ViRUS by G.D.R. ©WhoreSOFT, THERE IS NOTHING LIKE G.D.R. RIGHT ?? ;-)

They were originally meant to activate on the 22nd day of every month (hex value 16h), but because of a programming error they are set to activate on the 34th day of every month (22h = 34 in decimal), so the virus never activates.

Barrotes.1461

This variant activates on March 3rd. It corrupts disk sectors, clears the screen, and displays the message:

This is virus RETRETE! Don't attempt to recover your disk yourself!

Barrotes.1874

This variant displays the message, draws vertical bars and plays a tune on activation. However, the method of activation is currently unknown.

Barrotes.Tecla.1303

This variant activates on September 23rd. It hooks INT 16h to change the scancodes of keys that are entered.

Variants

This family has 18 variants in total:
*Virus.DOS.Barrotes.840
*Virus.DOS.Barrotes.849
*Virus.DOS.Barrotes.1127
*Virus.DOS.Barrotes.1194
*Virus.DOS.Barrotes.1222
*Virus.DOS.Barrotes.1292
*Virus.DOS.Barrotes.1310 (A, B, D, E, I, J and K)
*Virus.DOS.Barrotes.1447
*Virus.DOS.Barrotes.1461
*Virus.DOS.Barrotes.1463
*Virus.DOS.Barrotes.1874
*Virus.DOS.Barrotes.Tecla.1303

Other details

A hoax program, Hoax.DOS.Barrotes, was written by BERTOV1. It draws orange bars on the screen when run but does nothing harmful to the system.

Virus.DOS.Piolin.1176 (Piolin) has been identified as a variant of Barrotes by some antivirus products.

Barrotes.840 contains the internal text strings:
c:\command.com OS

Barrotes.849 and 1292 contain the internal text strings:
c:\command.com SO

Barrotes.1127 contains the internal text strings:
f:\login.exe l9 (plus 2 spaces)

Barrotes.1194 contains the internal text strings:
c:\command.com l7XS

Barrotes.1222 contains the internal text string:
lZ (plus ASCII ADh and ASCII DEh, possibly DEADh)

Barrotes.1310 (A, D and E) contain the internal text strings:
c:\command.com l7SO

Barrotes.1310.b contains the internal text strings:
Galiza Xakobeo l7SO

Barrotes.1310.i contains the internal text strings:
c:\command.com l7MV

Barrotes.1310.j contains the internal text strings:
Terror Again 97 l7SO

Barrotes.1310.k contains the internal text strings:
SuperDepor vK&S l7SO

Barrotes.1447 and 1463 contain the internal text strings:
c:\command.com loXX

Barrotes.1461 contains the internal text string:
c:\dos\keyb.com

Barrotes.1874 contains the internal text string:
c:\COMMAND.com

Barrotes.Tecla.1303 contains the encrypted internal text strings:
C:\COMMAND.COM Sta Tecla (MAD1) ST
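The internal text strings listed above can drive a first-pass static triage of a suspect file. The following Python code is an added example, not code from the original page or from any antivirus product; the names `SIGNATURES` and `identify` are hypothetical, and it assumes each listing is a path-like string plus a short marker stored verbatim and unencrypted in the sample. Barrotes.Tecla.1303 is left out because its strings are encrypted.

```python
import sys

# Assumption: each listing on the page is split into a path-like string and a marker.
# Matching is case-sensitive: Barrotes.1874 differs from the others only by case.
SIGNATURES = [
    ("Barrotes.840", (b"c:\\command.com", b"OS")),
    ("Barrotes.849 / 1292", (b"c:\\command.com", b"SO")),
    ("Barrotes.1127", (b"f:\\login.exe", b"l9  ")),      # "l9" plus 2 spaces
    ("Barrotes.1194", (b"c:\\command.com", b"l7XS")),
    ("Barrotes.1222", (b"lZ\xad\xde",)),                  # "lZ" plus ADh, DEh
    ("Barrotes.1310.a/d/e", (b"c:\\command.com", b"l7SO")),
    ("Barrotes.1310.b", (b"Galiza Xakobeo", b"l7SO")),
    ("Barrotes.1310.i", (b"c:\\command.com", b"l7MV")),
    ("Barrotes.1310.j", (b"Terror Again 97", b"l7SO")),
    ("Barrotes.1310.k", (b"SuperDepor vK&S", b"l7SO")),
    ("Barrotes.1447 / 1463", (b"c:\\command.com", b"loXX")),
    ("Barrotes.1461", (b"c:\\dos\\keyb.com",)),
    ("Barrotes.1874", (b"c:\\COMMAND.com",)),
]


def identify(data: bytes) -> list[str]:
    """Return labels whose strings are all present, most specific first.

    Short markers overlap ("SO" is inside "l7SO"), so one sample can match
    several entries; ordering by total signature length puts the longest,
    least ambiguous match at the front.
    """
    hits = [(sum(len(n) for n in needles), label)
            for label, needles in SIGNATURES
            if all(n in data for n in needles)]
    return [label for _, label in sorted(hits, key=lambda h: -h[0])]


# Constructed sample buffers (padding around the strings, not real virus bodies).
SAMPLE_1310 = b"\x90" * 32 + b"c:\\command.com\x00" + b"l7SO" + b"\x00" * 16
SAMPLE_1310B = b"\x90" * 32 + b"Galiza Xakobeo\x00" + b"l7SO" + b"\x00" * 16
SAMPLE_CLEAN = b"MZ" + b"\x00" * 64 + b"This program cannot be run in DOS mode."

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, identify(fh.read()) or "no Barrotes strings found")
```

A hit is only a lead for further analysis: two-byte markers such as OS and SO occur in many unrelated files, which is why every string of a signature must be present and the results are ordered by specificity.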